Why SMEs need Data Protection Compliance Organisation (DPCO)

The Nigeria Data Protection Regulation (NDPR) 2019 places responsibilities on organisations that handle personal data, including SMEs and startups. Additionally, customers value data protection, and having the support of a data protection compliance organisation can help these businesses differentiate themselves from their competitors and maintain customer trust.


Article 4.1(4) of the Nigeria Data Protection Regulation (NDPR) 2019, empowers the National Information Technology Development Agency (NITDA) to register and licence Data Protection Compliance Organisations (DPCOs) to provide data protection compliance services to all organisations which process personal data of Nigerian citizens and residents (this mandate is now being carried out by the Nigeria Data Protection Bureau (NDPB) following its establishment in February 2022). 


A DPCO may be any of the following organisations:

  1. Professional Service Consultancy firm
  2.  IT Service Provider
  3. Audit firm
  4.  Law firm (For example, Olisa Agbakoba Legal is a licensed DPCO and can assist an organisation with data protection compliance)


Also read: Filing annual returns in Nigeria: Implication of non-compliance


SMEs and startups require data protection compliance organisations under the Nigeria data protection regulation for several reasons:

  1. Regulatory Compliance:

    The Nigeria Data Protection Regulation (NDPR) requires organisations that process personal data to conduct a privacy audit, with failure to comply resulting in penalties, investigations, and reputational damage. Data protection compliance organisations can assist SMEs and startups in complying with the NDPR and avoiding legal consequences such as penalties.

  2. Review of data protection policies:

    The NDPR mandates organisations to make available to the general public their respective data protection Policies. A DPCO can draft or review those policies in compliance with this Regulation and in line with global data privacy and protection best practices

  3. Risk Assessment and Management:

    SMEs and startups face many risks, including cyber threats, data breaches, and legal liabilities. A DPCO while conducting an audit assesses the internal controls and data privacy processes of an organisation thus, identifying and mitigating these risks. This can reduce the likelihood of data breaches and other security incidents.

  4. Employee training or capacity building:

    A DPCO can conduct training for employees in data-handling organisations. This helps to raise awareness of the need to protect customer data, restrict access to a need-to-know basis and reduce the risk of an internal data breach.

It is essential to note that where a Data Controller processes data of more than 10,000 Data Subjects breach their data privacy rights, it will be liable to pay a fine of 2% of the organisation’s annual gross revenue of the preceding year or the payment of the sum of N10,000,000 (Ten Million Naira), whichever is greater.  Conversely, where a Data Controller processes less than 10,000 Data Subjects, the penalty for not complying with the provisions of the NDPR is the payment of 1% of the annual gross revenue or N2,000,000 two million naira, whichever is greater.

Some other services that a DPCO can assist with include:

  1. Data protection and privacy advisory services
  2. External Data Protection Officer
  3. Data breach reporting 
  4. Data privacy breach impact assessment
  5. Data Protection and Privacy Due Diligence 

Organisations should prioritise engaging the services of a DPCO in complying with Data privacy and protection laws and global best practices. 


Beverley Agbakoba-Onyejianya
Esther Odunze